At a Glance: Management Alert: EPA Still Unable to Validate that Contractors Received Role-Based Training for Information Security Protection


x-^tD sT/\f.
*. U.S. Environmental Protection Agency	20-P-0007
£ KM ro	October 21,2019
.	u.o. ciiviiuMiiiciiidi nuietu
	 \ Office of Inspector General
® I
At a Glance
Why We Did This Project
The Office of Inspector
General (OIG) for the
U.S. Environmental Protection
Agency (EPA) conducted this
follow-up audit to determine
whether the EPA completed
actions for Recommendation 3
in prior OIG Report
No. 17-P-0344. The
recommendation required the
EPA to maintain a list of
contractors required to take
role-based training (RBT) and
validate that all contractors
have completed RBT. We
further sought to determine
(1) whether EPA offices' fiscal
year 2018 certifications were
accurate and (2) what additional
steps are needed to verify
contractors' completion of RBT.
RBT is continuous education
that improves current
knowledge, skills and abilities
for a particular job function.
This report addresses the
following:
• Operating efficiently and
effectively.
Management Alert: EPA Still Unable to Validate
that Contractors Received Role-Based Training
for Information Security Protection
What We Found
The EPA continues to lack information to monitor
compliance with the following RBT requirements:
•	Confirming that contractor personnel completed
the required RBT.
•	Including RBT provisions in existing information
technology services contracts.
•	Maintaining a list of contractor personnel required
to complete RBT.
These weaknesses occurred because:
The EPA has limited
assurance that
contractor personnel
are maintaining skills
needed to combat
efforts to destroy,
steal or hold for
ransom the EPA's
systems and sensitive
information.
•	Most EPA offices did not validate that all contractors completed the
required RBT.
•	EPA Contracting Officer's Representatives were unfamiliar with RBT
requirements.
•	The EPA's directives did not explicitly designate who is responsible for
maintaining a list of contractors required to complete RBT.
As a result, only seven of 21 (33 percent) EPA offices submitted a complete
response by September 30, 2018, to the EPA's Chief Information Security Officer
certifying that contractors completed the required RBT. We are issuing this
management alert on these weaknesses because immediate improvements are
needed to verify that contractors are trained in their roles to protect agency
systems and data.
Recommendations and Planned Agency Corrective Actions
Address inquiries to our public
affairs office at (202) 566-2391 or
OIG WEBCOMMENTS@epa.gov.
List of OIG reports.
We recommend the Assistant Administrator for Mission Support (1) validate that all
EPA offices submit the annual RBT certifications, (2) train EPA Contracting
Officer's Representatives on mandatory RBT requirements, (3) implement a plan
to identify which existing information technology services contracts should
include RBT requirements, and (4) require EPA offices to maintain a list of
contractor personnel required to complete RBT. The EPA completed corrective
actions for Recommendations 1 and 4. The agency agreed to
Recommendations 2 and 3 but has not provided corrective actions or milestone
dates. Recommendations 2 and 3 are therefore unresolved.

-------